X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=input%2Fhowto%2Fpuppet-setup.mdwn;h=edb9baeb85e003a63b1f7cdc6d2b925aea31657b;hb=5fd0c69849d3d336139a5a9bbdb66b400d7d7911;hp=dfdeee64b2dd7ef43db754a268c0ee593df15882;hpb=8982268985a8bd89aec8008b3ec24425c82cde43;p=mirror%2Fdsa-wiki.git diff --git a/input/howto/puppet-setup.mdwn b/input/howto/puppet-setup.mdwn index dfdeee6..edb9bae 100644 --- a/input/howto/puppet-setup.mdwn +++ b/input/howto/puppet-setup.mdwn @@ -10,79 +10,37 @@ Make sure you have set up the IP address for the new machine in ud-ldap. After that run puppet on puppetmaster once, so the ferm config get adjusted. - : __handel__ && puppetd -w 5 -t --factsync --environment=production - - : ::client:: && echo 'deb http://mirror.netcologne.de/debian-backports/ lenny-backports main' > /etc/apt/sources.list.d/backports.org.list && - apt-key add - << EOF && - -----BEGIN PGP PUBLIC KEY BLOCK----- - Version: GnuPG v1.4.9 (GNU/Linux) - - mQGiBEMIgw4RBADueqAzlq+rQT9JYSSWnNzo6C+9crI8lzW/fcl2Q3PO97MOQTOx - Qsf/lOh0Ku7O+VdBa+BwVPuUkSw6wTY5Ku1y/6r1BQzJ9oHkryDDJXsHzKhpdyFc - /lD4hNGqRkiNg5ulwAI0O1eqffPWDmeR9ZzSsqM40f1U4TNLfPAu1viWxwCgnbWz - onY6RqSYlRsDQaPsNTwieVEEAJeX2FGgNepD1SvfEremAkWCrYYlSZI76iTIf6bd - kGkWqIT0vJyE2MNenhDJ2ebbHJVFmL9x8S3m1daC4Zwnacm7aoCY/QgMJ+Js1Fex - Acev48W9KHgpVbFMd1t8KAwRbmFcQf0C/FZUbE7xScpTxS4z3SsMOuRyfnGpDOi6 - m/SnA/9wpquf3pPwbPykzKWNJEDouiJgt0zaFLauKDPeyTWeJ6htaAPDglArewdq - bJ9M8QgLFtzjhg/fBQlRRUk7YP4OYtp1OdPkg2D/1rPQNySWlDf21T3N/K8ydKhR - bYi+AsPuJLQUi3d+lVTFOebaL9felePvDC2/Eod7PSD1/rnkZ7Q0QmFja3BvcnRz - Lm9yZyBBcmNoaXZlIEtleSA8ZnRwLW1hc3RlckBiYWNrcG9ydHMub3JnPohGBBAR - AgAGBQJDgImkAAoJEHFe1qB+e4rJ2x4An2oI4xJpDvOx8uDIo9ihG1M0MpUqAJ9S - cqVUmiyYSPtu8MwcZecy9kmOIYheBBMRAgAeBQJDCIMOAhsDBgsJCAcDAgMVAgMD - FgIBAh4BAheAAAoJEOqOiyEWuhNsDt4AniaEBvlr4oVFMrGgPiye7iE/jv68AJ48 - OkIfwcKJt7N8ImPAboeimFvWgIheBBMRAgAeBQJDCIMOAhsDBgsJCAcDAgMVAgMD - FgIBAh4BAheAAAoJEOqOiyEWuhNsDt4AnjdB14rGa/rzz1ohwsi1oEnDRYuyAJ44 - Nv8MTPjOaeEZArQ0flg8OXwF34hGBBARAgAGBQJEeI+KAAoJEHvDNTBle/A9pDwA - mwVpbaoH1hebV4MgXIpRvTQiL2keAJ9ryd2LvhbPd5EZM1C3Nsar2/2CgIhGBBAR - AgAGBQJHE7HYAAoJEGvFvIY3KyPVlwEAoJyGuJ/SsJTlyIVbulWYp3U/uZQTAJ4l - 40SrE/wwDeSIrhWNkmmNPbnz54hGBBARAgAGBQJHKneLAAoJEBRrPPJWJbOATcsA - n3I8y3pJN6jkmnhUQepfa7jJoDY2AKClHVXYuNZpc2jZKyruwgwck+jCabkCDQRD - CIMREAgAzXu6DGSDAz4JH+mlthtiQwNZFU8bjWanGT3DL6zubxwc3ZQmRaMOiVuv - JUuaJv8fdGRSvp09dP2/x5mzq2rACiEnDwZssNSK5sigxgy2W9zeO9bOtg6bhqZL - wlsL8Y2xZhyGL3qGeP4zL1QbXZ1QdJuO90Xu7GWYS6Wsj+Y6dUsZFYvTZwSiLkEm - gFUTxkNue3DQtZ/KNkwoKc+aqU+S7gDNStQDvTNtR6IV11KbKcY1iQ0B2bkh4zSh - WwloIr83V6huAhfH8GA7UW6saRJAof5DJWUb+PRmU2TAOOlyZoM4nMH+sFFDPOeG - 8fbecwlox5BRTMqcCB5ELbQXoVZT+wADBQf/ffI9R53f9USQkhsSak+k82JjRo9h - qKAvPwBv3fDhMYqX3XRmwgNeax2y6Ub0AQkDhIC6eJILP5hTb2gjpmYYP7YE/7F1 - h37lUg7dDYeyPQF54mUXPnIg3uQ/V9HBTY+ZW8rsVe1KRvPAuVFU77FfCvIFdLSX - Vi1HSUcGv9Y7Kk4Tkr7vzKshlcIp6zZrO0Y3t/+ekBwTTQqEoUylVYkCSt3z6bjp - VWbepkL88rbqJnPueTATw9shjbFYaND8cXZox9tQmlOIZ6gDeH1YvFf7ObRLxULm - 7C6hwik6agtXWkNABVXSxM6MB4hcP9QC+FEhK6y/7wC3SyNRBuFujDG1aohJBBgR - AgAJBQJDCIMRAhsMAAoJEOqOiyEWuhNsVVMAoJ1gbL0PHVf7yDwMjO3HuJBErxLd - AJ4v9ojJnvJu2yUl4W586soBm+wsLg== - =n4L0 - -----END PGP PUBLIC KEY BLOCK----- - EOF - apt-get update && - apt-get install --no-install-recommends puppet/lenny-backports libaugeas-ruby1.8/lenny-backports augeas-lenses/lenny-backports && - /etc/init.d/puppet stop && - puppetd -w 5 --debug -t --factsync + : __handel__ && puppet agent -t --environment=production + + : ::client:: && me=$(hostname -f) && [ "$me" != "${me%debian.org}" ] && apt-get update && + apt-get install -y --no-install-recommends puppet libaugeas-ruby1.8 augeas-lenses lsb-release && + service puppet stop && + (puppet agent -t || true ) && + cd /var/lib/puppet/ssl/certificate_requests && + echo sha256sum output: && echo && + sha256sum $me.pem && + echo && echo && cd / This will not overwrite anything yet, since handel has not signed the client cert. Now is the time to abort if you are getting cold feet. Compare incoming csr request: -on handel: - - : __handel__ && echo -n 'Client name: ' && read client && - sha1sum /var/lib/puppet/ssl/ca/requests/$client.debian.org.pem -on new client: - - : ::client:: && sha1sum /var/lib/puppet/ssl/certificate_requests/$(hostname).debian.org.pem - -If you're satisfied, sign the request on handel with: - - : __handel__ && puppetca --sign $client.debian.org - -bootstrap client knowledge of puppet ca: -on handel: - - : __handel__ && echo 'cat > /var/lib/puppet/ssl/certs/ca.pem << EOF ' && +on handel, paste the sha256output:: + + : __handel__ && echo "paste sha256sum output now:" && + read sha256 filename && + cd /var/lib/puppet/ssl/ca/requests && + ( [ -e $filename ] || (echo "$filename does not exist."; exit 1) ) && + echo -e "$sha256 $filename" | sha256sum -c && + puppetca --sign $(basename "$filename" .pem) && + echo && echo && echo && + echo 'cat > /var/lib/puppet/ssl/certs/ca.pem << EOF ' && cat /var/lib/puppet/ssl/certs/ca.pem && echo 'EOF' && - echo "cat > /var/lib/puppet/ssl/certs/$client.debian.org.pem << EOF " && - cat /var/lib/puppet/ssl/ca/signed/$client.debian.org.pem && - echo 'EOF' + echo "cat > /var/lib/puppet/ssl/certs/$filename << EOF " && + cat /var/lib/puppet/ssl/ca/signed/$filename && + echo 'EOF' && + cd / and execute this on the client. @@ -93,16 +51,20 @@ although the config files should remain identical before and after. Then run (this will change the configs in /etc): - : ::client:: && puppetd -w 5 --debug -t --factsync + : ::client:: && puppet agent -t --pluginsync -This run will start puppet after reconfiguring it, so if you are -unhappy with what just happened, you'll need to stop it again to do +This run will start puppet after reconfiguring it, so if you are +unhappy with what just happened, you'll need to stop it again to do repair. Double check apt - the puppet setup usually results in duplicate apt sources, since we ship a few under sources.list.d. Remove any unnecessary entries from sources.list. +On handel, make sure the certs exist for the new host + + : :: handel :: : && sudo -u puppet make -C /srv/puppet.debian.org/ca/ install + We ship a samhain config file that includes /lib and /usr/lib. This will almost certainly be different than the config file on the machine, so it will result in 1000s of files changed.